TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Increased IRS Oversight of State Agencies Is Needed to Ensure Federal Tax Information Is Protected

September 2005

Reference Number: 2005-20-184

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process
and information determined to be restricted from public release has been redacted from this document.

Web Site | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 30, 2005

MEMORANDUM FOR CHIEF, MISSION ASSURANCE AND SECURITY SERVICES

FROM:     Pamela J. Gardiner
          Deputy Inspector General for Audit

SUBJECT:  Final Audit Report – Increased IRS Oversight of State Agencies Is
          Needed to Ensure Federal Tax Information Is Protected
          (Audit # 200520005)

This report presents the results of our review of security of Federal tax information provided to
State agencies. The overall objective of this review was to determine whether State tax agencies
were protecting Federal tax information from unauthorized use and disclosure.

Section 6103 of the Internal Revenue Code[1] requires the Internal Revenue Service (IRS) to
disclose Federal tax information to various State and Federal Government agencies.
State tax agencies can use this information to identify nonfilers of State tax returns, determine
discrepancies in the reporting of income, locate delinquent taxpayers, and determine whether IRS
adjustments have State tax consequences. Due to the sensitivity of Federal tax information and
the potential for its misuse for identity theft, the States are required to have adequate controls in
place to prevent unauthorized disclosures of the tax information.

Synopsis

In February 2003, we issued a report[2] in which we concluded that Federal tax information was at
risk while in the possession of State tax agencies. We recommended the IRS broaden the scope
of its reviews of States receiving Federal tax information to include a more comprehensive
review of computer security and hire or develop an adequate number of technically proficient
staff to conduct those reviews. The IRS agreed with each of our recommendations.

[1] Internal Revenue Code § 6103 (2003).
[2] Computer Security Weaknesses at State Agencies Put Federal Tax Information at Risk (Reference
    Number 2003-20-064, dated February 2003).

In this review, we visited four large State tax agencies to which the IRS sends Federal tax
information. At all four agencies, we identified significant weaknesses in physical security, user
account management, access controls, audit trails, intrusion detection, and firewall systems.
These weaknesses place Federal tax information at increased risk of unauthorized use or theft.
Hackers and unscrupulous State government employees could exploit these security weaknesses
to gain unauthorized access to tax data.

The IRS requires the States to review security controls and submit the test results annually to the
IRS.
The reviews conducted by the States, however, do not adequately assess whether security
controls are in place. The reviews performed by the four State tax agencies we visited did not
identify the security weaknesses we found. In addition, the scopes of the States’ reviews did not
comply with the Federal Information Security Management Act (FISMA),[3] which requires users
of Federal tax data to test security controls annually using National Institute of Standards and
Technology (NIST)[4] guidance.

The IRS has made improvements in its reviews of the States’ security controls. The most
significant change was reassigning responsibility for these reviews from the Office of
Governmental Liaison and Disclosure, within the Communications and Liaison Division, to the
Office of Mission Assurance and Security Services (MA&SS).

MA&SS organization computer security specialists followed guidelines, prepared by a
contractor, in reviewing the security controls at the States. These guidelines represent a
significant improvement from past practices by testing for more vulnerabilities. However, they
still do not comply with the NIST guidelines used for testing information systems in accordance
with the FISMA.

Additionally, the management information system used by the MA&SS organization to monitor
the status of corrective actions does not have the capability to record the corrective actions or the
proposed completion dates of those actions. The States, then, are not held accountable for
addressing weaknesses found during their tests and the tests conducted by the MA&SS
organization.

Recommendations

To reduce the opportunities for unauthorized use of Federal tax information at State agencies, we
recommended the Chief, MA&SS, obtain a formal decision from the Office of Management and
Budget (OMB) as to the application of the FISMA computer security requirements to State
agencies that receive Federal tax information.
We recommended the Chief, MA&SS, require
States to submit more useful and indepth annual self-assessments using Recommended Security
Controls for Federal Information Systems (NIST Special Publication 800-53). These
self-assessments should be used by the MA&SS organization to better focus the scope of its
reviews, resulting in a more efficient use of resources. Additionally, if FISMA requirements are
determined to apply to State agencies receiving Federal tax information, the Chief, MA&SS,
should require the States to submit the same documents required by Federal Government
agencies to enable the MA&SS organization to monitor corrective actions and follow up on prior
issues identified.

[3] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).
[4] The NIST, under the Department of Commerce, is responsible for developing standards and guidelines for
    providing adequate information security for all Federal Government agency operations and assets.

To improve the scope of reviews over States’ security controls, we recommended the
Chief, MA&SS, ensure the IRS’ reviews of States follow NIST Special Publication 800-53
guidance. Finally, we recommended the Chief, MA&SS, assign additional staffing to oversee
the States’ controls.

Response

The Chief, MA&SS, does not believe that FISMA requirements apply to State agencies receiving
Federal tax information primarily because the agencies do not use the tax information on behalf
of the IRS. Therefore, the Chief, MA&SS, disagreed with our first recommendation and did not
seek a formal opinion from the OMB on this matter.
Although the Chief, MA&SS, disagreed
that FISMA requirements apply to the States, he agreed to revise Tax Information Security
Guidelines for Federal, State and Local Agencies (Publication 1075) to incorporate the
recommended security controls described in NIST Special Publication 800-53. Also the
MA&SS organization will use Plans of Actions and Milestones as part of a new process to better
manage recommended corrective actions. In addition, the Chief, MA&SS, will improve the
scope of IRS Safeguard Reviews by incorporating appropriate NIST Special Publication 800-53
security controls into the computer security Safeguard Review process. Finally, the
Chief, MA&SS, agreed with our recommendation to assign additional staffing to oversee the
States’ controls and will determine the staffing needs for the additional workload items presented
in this report. In the interim, MA&SS organization personnel have been identified to assist in
conducting the computer security reviews. Management’s complete response to the draft report
is included as Appendix IV.

Office of Audit Comment

We do not agree with the IRS that FISMA requirements do not apply to State agencies receiving
Federal tax information. Based on FISMA reporting guidance provided by the OMB for
Fiscal Year 2005, we believe the OMB intends for the FISMA requirements to apply to State
agencies receiving Federal tax information. To resolve this matter, we have requested a formal
opinion from the OMB.

Copies of this report are also being sent to the IRS managers affected by the report
recommendations. Please contact me at (202) 622-6510 if you have questions or
Margaret E.
Begg, Assistant Inspector General for Audit (Information Systems Programs), at
(202) 622-8510.

Table of Contents

Background

Results of Review
    Computer Weaknesses Continue to Exist at State Tax Agencies,
    Jeopardizing the Security of Federal Tax Information
        Recommendation 1
        Recommendations 2 and 3
        Recommendation 4

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Management’s Response to the Draft Report

Background

Section 6103 of the Internal Revenue Code[1] requires the Internal Revenue Service (IRS) to
disclose Federal tax information to various State and Federal Government agencies. State tax
agencies can use this information to identify nonfilers of State tax returns, determine
discrepancies in the reporting of income, locate delinquent taxpayers, and determine whether IRS
adjustments have State tax consequences.

As a condition for receiving Federal tax information, State tax agencies must have physical and
computer system safeguards designed to prevent unauthorized accesses and use of this
information. Before a State tax agency receives Federal tax information, it must submit a
Safeguard Procedures Report to the IRS for approval. The Report describes how the State will
protect and safeguard the tax information. In addition, States are required to annually file a
Safeguard Activity Report to report any changes to their safeguard procedures, advise the IRS of
future actions that will affect safeguard procedures, and certify they are protecting the data.

The Federal Information Security Management Act (FISMA)[2] also requires the IRS to provide
oversight to ensure the States have adequate security controls in place to protect Federal tax
information.
The IRS is responsible for overseeing security over Federal tax information for
276 Federal Government and State entities. Balancing priorities is clearly an issue; however, the
Office of Management and Budget (OMB) has stressed the need for oversight of entities
receiving sensitive Federal Government information and evaluates agencies’ oversight activities
through the FISMA reporting process.

Prior to October 2003, the IRS Office of Governmental Liaison and Disclosure, within the
Communications and Liaison Division, had primary responsibility for ensuring security over tax
information provided to State and Federal Government agencies. In October 2003, this oversight
responsibility was shifted to the Office of Mission Assurance and Security Services (MA&SS).

In February 2003, we issued a report[3] in which we concluded that Federal tax information was at
risk while in the possession of State agencies. We recommended the IRS broaden the scope of
its reviews of States receiving Federal tax information to include a more comprehensive review
of computer security and hire or develop an adequate number of technically proficient staff to
conduct those reviews. The IRS agreed with each of our recommendations.

[1] Internal Revenue Code § 6103 (2003).
[2] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).
[3] Computer Security Weaknesses at State Agencies Put Federal Tax Information at Risk (Reference
    Number 2003-20-064, dated February 2003).

This review was performed at the MA&SS organization offices in the IRS National Headquarters
in Washington, D.C., during the period December 2004 through May 2005.
We also visited and
reviewed security at four large State tax agencies in Michigan, Illinois, New York, and Texas
that receive Federal tax information. We did not review the security of the data being shared
with nontax State agencies or Federal Government agencies. The audit was conducted in
accordance with Government Auditing Standards. Detailed information on our audit objective,
scope, and methodology is presented in Appendix I. Major contributors to the report are listed in
Appendix II.

Results of Review

Computer Weaknesses Continue to Exist at State Tax Agencies,
Jeopardizing the Security of Federal Tax Information

We identified significant security weaknesses at all four State tax agencies we reviewed. These
weaknesses provide opportunities for hackers, disgruntled employees, and contractors to access
Federal tax information for unauthorized use and identity theft purposes. The weaknesses
continue because the States’ self-assessments of security controls have not been adequate. In
addition, while the IRS has improved its reviews of States’ security controls, more oversight is
needed.

Controls to prevent hackers from attacking States’ networks from the Internet are
not adequate

Security weaknesses at Internet connections give hackers opportunities to exploit and gain
unauthorized entry into the internal network. In accordance with the FISMA, the National
Institute of Standards and Technology (NIST)[4] requires Federal Government agencies and those
entities receiving Federal tax information to protect networks at Internet connections.
Generally,
firewall computers and routers stop traffic from traveling from the Internet to an internal, trusted
network. Intrusion detection systems detect inappropriate, incorrect, or unusual activity on a
network.

[4] The NIST, under the Department of Commerce, is responsible for developing standards and guidelines for
    providing adequate information security for all Federal Government agency operations and assets.

We identified security weaknesses at Internet connections at all four State tax agencies we
reviewed. The following weaknesses result in the States being unnecessarily vulnerable to
attacks by hackers:
  • Firewall computers were not optimally configured and maintained to minimize the
    possibility of an attack.
  • Password controls on firewalls and routers were weak. User names and passwords were
    not required on some equipment and were sometimes shared by system administrators.
    Unique user names and passwords help identify persons responsible for changes to router
    settings. These weaknesses could allow unauthorized personnel to access connection
    components and make unauthorized configuration changes.
  • Activity logs and audit trail logs that contain details of accesses to systems were not
    reviewed and analyzed. Consequently, the States were hindered in identifying and
    investigating potential attacks.
  • Intrusion detection capabilities had not been installed at all connections.
    Intrusion detection systems provide an organization the ability to monitor activity on its
    network and look for suspicious and unauthorized actions.

Controls to prevent disgruntled employees and contractors from exploiting
States’ networks are not adequate

Employees and contractors usually have more knowledge of systems than hackers and, as a
result, can often cause more damage. Sufficient management, operational, and technical controls
are required for each system to limit the opportunities for misuse of data. We identified security
weaknesses at all four State tax agencies that increased the risk that disgruntled employees and
contractors with access to the States’ networks could gain unauthorized access to Federal tax
information. Specifically:
  • Compact discs containing Federal tax information were stored in cabinets that remained
    unlocked during work hours. Packages containing tapes with tax information were
    opened in the mail room and left unsecured prior to delivery. Inventory controls were not
    in place for a significant number of compact discs on hand and backup tapes stored
    offsite. Employees’ duties were not separated among receiving, accounting for, and
    inventorying tapes.
    These practices make the tax information more susceptible to theft.
  • States could not determine when employees last accessed systems containing Federal tax
    information.
  • Employees who no longer needed access to systems still had active user accounts.
  • End users’ requests for access to Federal tax information were not documented.
  • One State had not provided logon warning messages to end users regarding the
    consequences of misusing or inappropriately accessing Federal tax information.
  • None of the four State tax agencies reviewed audit trails to detect inappropriate access to
    Federal tax information.

The States’ self-assessments of security controls have not been adequate

We believe State agencies, as users of Federal tax information, are obligated to comply with the
FISMA self-assessment security control requirements. We suggest States use Recommended
Security Controls for Federal Information Systems (NIST Special Publication 800-53) when
performing self-assessments of security controls. This Publication is applicable to all computers
and systems containing sensitive data. It clearly outlines key security issues and guides users to
determine whether policies and procedures have been developed, implemented, and tested.
States should be required to submit these self-assessments annually with their Safeguard Activity
Reports.
The MA&SS organization could then use the self-assessments to focus the scope of its
reviews and potentially reduce the staffing required to test computer security controls.

The most recent Safeguard Activity Reports prepared by the four State tax agencies we reviewed
do not adequately assess whether security controls are in place. None of the four agencies used
the NIST guidance, and the self-assessments they performed did not identify the security
weaknesses we found. The self-assessments were limited in scope and did not adequately
describe the steps taken to evaluate the controls.

These cursory reviews do not provide assurance to the IRS that States are meeting their
responsibilities for providing adequate computer security controls to protect Federal tax
information. The IRS has accepted the annual reports without enforcing existing requirements
for reporting on controls.

The IRS Safeguard Reviews are inadequate and incomplete

The IRS’ most recent Safeguard Reviews of the four State tax agencies did not identify the
weaknesses we found. The IRS did not provide sufficient staffing to review States’ security
controls, and the reviews that were conducted were not sufficiently indepth to identify all critical
control weaknesses. In addition, the IRS did not use methods required by the FISMA to monitor
actions to correct identified weaknesses.

One of the major considerations behind the transfer of responsibility for overseeing States’
security controls to the MA&SS organization was the availability of technically proficient
information technology staff to conduct the technical portions of the IRS Safeguard Reviews.
However, due to budget constraints, only two computer security specialists were assigned to the
MA&SS organization’s Safeguards Program. Both specialists had been reassigned from the
Office of Governmental Liaison and Disclosure.
The only additional staff provided by the
MA&SS organization has been two individuals to perform ad hoc physical security reviews. To
supplement its staff, the MA&SS organization acquired contractor support for the technical
portions of the Safeguard Reviews. However, IRS procedures require the MA&SS organization
to review the security over Federal tax information at least once every 3 years for approximately
276 Federal Government and State entities, thus requiring approximately 90 reviews each year.
In Fiscal Year 2004, the IRS conducted only 66 reviews, which included 26 State tax agencies,
32 State child support and welfare agencies, and 8 Federal Government entities. Additional
staffing is needed to meet the IRS’ oversight responsibilities.

In addition, the scope of the reviews was not sufficient. The contractor hired by the IRS
developed 15 matrices that are used by the MA&SS organization specialists and the contractor
staff when evaluating the States’ computer security controls. The matrices are designed to
evaluate operating systems most commonly found in the States such as Windows 2000,
Windows NT, and UNIX.

The matrices are an improvement from past practices because they test for more vulnerabilities.
However, the matrices do not address controls prescribed in NIST Special Publication 800-53.
Application controls are the last line of defense in protecting the IRS’ sensitive data. In addition,
several controls that require human involvement are still not addressed, such as ensuring
employees with significant security responsibilities are adequately trained.
The matrices also do
not address privacy issues, such as the unauthorized browsing and/or theft of Federal tax
information while in the custody of the States.

We also determined the MA&SS organization’s management information system does not track
the corrective actions planned by the agencies under review, nor does it track the actual
corrective action completion dates. The FISMA requires agencies to formulate Plans of Actions
and Milestones to record all identified security weaknesses, list specific corrective actions to
address those weaknesses, and include dates by which those corrective actions will be
completed.

The management information system used by the MA&SS organization to monitor the status of
corrective actions does not have the capability to record the corrective actions or the proposed
completion dates of those actions. The States, then, are not held accountable for addressing
weaknesses found during their tests and the tests conducted by the MA&SS organization. As a
result, the IRS cannot be certain that deficiencies found during Safeguard Reviews are timely
and efficiently corrected.

Recommendations

To reduce the opportunities for unauthorized use of Federal tax information at State agencies, the
Chief, MA&SS, should:

Recommendation 1: Obtain a formal decision from the OMB as to the application of the
FISMA computer security requirements for systems at State agencies that receive Federal tax
information.

    Management’s Response: The Chief, MA&SS, disagreed with this recommendation
    stating that, currently, FISMA legislation and the applicable NIST standards are not
    mandated for the State agencies receiving Federal tax information because the State
    agencies do not use the information for the benefit, aid, or support of the IRS.
    In addition, State agencies are not accessing, connecting to, or using IRS major information
    systems to collect, maintain, process, store or transmit this information for, or on behalf
    of, the IRS.

    Office of Audit Comment: We do not agree with the IRS that FISMA requirements
    do not apply to State agencies receiving Federal tax information. FISMA reporting
    guidance provided by the OMB states, “… agency IT security programs apply to all
    organizations (sources) which possess or use Federal information – or which operate, use,
    or have access to Federal information systems – on behalf of a Federal agency. Such
    other organizations may include contractors, grantees, State and local governments,
    industry partners, etc.” Later in the same paragraph, the guidance states, “Agencies must
    develop policies for information security oversight of contractors and other users with
    privileged access to Federal data. Agencies must also review the security of other users
    with privileged access to Federal data and systems.” Although the States may not be
    using the data on behalf of the IRS, they clearly have privileged access to the data and,
    therefore, we believe the OMB intends for the States to be included in the IRS’ security
    program.
    To resolve this issue, we have requested a formal opinion from the OMB.

Recommendation 2: If States receiving Federal tax information are required to comply with
the FISMA requirements, require States to submit more useful and indepth self-assessments
annually, using NIST Special Publication 800-53, with their Safeguard Activity Reports. These
self-assessments should be used by the MA&SS organization to better focus the scope of its
Safeguard Reviews, resulting in a more efficient use of resources. Additionally, as part of the
oversight of entities receiving Federal tax information, the Chief, MA&SS, should require the
States to submit Plans of Actions and Milestones to track corrective actions at the States and
follow up on prior issues identified.

    Management’s Response: Although the Chief, MA&SS, disagreed that the FISMA
    requirements apply to State agencies receiving Federal tax information, he agreed to
    revise Tax Information Security Guidelines for Federal, State and Local Agencies
    (Publication 1075) to incorporate the recommended security controls described in the
    NIST Special Publication 800-53. The MA&SS organization will use Plans of Actions
    and Milestones as part of a new process to better manage recommended corrective
    actions.

Recommendation 3: Improve the scope of the IRS Safeguard Reviews by following NIST
Special Publication 800-53 guidance.

    Management’s Response: The Chief, MA&SS, agreed with this recommendation
    and will incorporate NIST Special Publication 800-53 standards into the computer
    security Safeguard Review process. However, the Chief, MA&SS, stated that, because
    the States are not subject to the FISMA, it may not be practical to incorporate all of the
    recommended controls from NIST Special Publication 800-53 into the Safeguard Review
    methodology.
    IRS Publication 1075 will be updated to incorporate the viable
    recommended security controls in NIST Special Publication 800-53, allowing for some
    flexibility in the requirements imposed for the States as appropriate.

Recommendation 4: Assign more staffing to the MA&SS organization’s Safeguards
Program so adequate oversight can be provided to the States.

    Management’s Response: The Chief, MA&SS, agreed with this recommendation
    and will determine the staffing needs for the additional workload items presented in this
    report. In the interim, MA&SS organization personnel have been identified to assist in
    conducting the computer security reviews.

Appendix I

Detailed Objective, Scope, and Methodology

The objective of this review was to determine whether State tax agencies were protecting Federal
tax information from unauthorized use and disclosure. To accomplish this objective, we:

I.     Visited four large State tax agencies located in Michigan, Illinois, New York, and Texas
       to review physical and computer security controls over Federal tax information. From a
       population of 50 States, we selected the 4 most populous States that the IRS had not
       scheduled for review in Fiscal Years 2004 and 2005.
       A. Reviewed the States’ physical security over Federal tax information.
       B. Reviewed the States’ controls over access to Federal tax information.
       C. Determined whether the States used audit trails to detect improper accesses to
          computers used to process and store Federal tax information. We determined whether
          audit trails were turned on and reviewed on a regular basis.
       D. Determined whether the States used firewalls to prevent improper access to
          computers that process and store Federal tax information.
       E. Determined whether intrusion detection systems were used to continuously monitor
          systems that process and store Federal tax information and how intrusion detection
          systems were deployed.
       F. Determined the extent to which the States self-reviewed their systems.
II.    Reviewed coverage given to computer security during the Internal Revenue Service
       Safeguard Reviews.
       A. Reviewed procedures and guidelines used by Internal Revenue Service reviewers and
          computer security specialists for performing Safeguard Reviews and for performing
          the computer security portion of Safeguard Reviews.
       B. Reviewed the coverage given to computer security during Safeguard Reviews. We
          obtained documentation on Safeguard Reviews for the four State tax agencies.
III.   Reviewed the Mission Assurance and Security Service organization’s monitoring of
       corrective actions.
       We determined how it ensured State tax agencies implemented
       meaningful and timely corrective actions to computer security deficiencies in Safeguard
       Review Reports.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Stephen R. Mullins, Director
Gerald H. Horn, Audit Manager
Dan Ardeleano, Senior Auditor
Bret D. Hunter, Senior Auditor
Louis Lee, Senior Auditor
Abraham Millado, Senior Auditor
Joan Raniolo, Senior Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn.: Chief of Staff C
Deputy Commissioner for Operations Support OS
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Management Controls OS:CFO:AR:M
Audit Liaison: Chief, Mission Assurance and Security Services OS:MA

Appendix IV

Management’s Response to the Draft Report